diff options
author | Patrick Cloke <patrickc@matrix.org> | 2020-10-15 10:18:02 -0400 |
---|---|---|
committer | Patrick Cloke <patrickc@matrix.org> | 2020-10-15 10:18:02 -0400 |
commit | f49708dee3c46be87a23a934ecba17e7e58d4b16 (patch) | |
tree | 9da3545add8672988c4896c8fdb9860e8a2d7085 | |
parent | 1.21.2 (diff) | |
download | synapse-f49708dee3c46be87a23a934ecba17e7e58d4b16.tar.xz |
Add additional release notes.
Diffstat (limited to '')
-rw-r--r-- | CHANGES.md | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 6ef499bd9e..af5a9bafb8 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,10 +1,23 @@ Synapse 1.21.2 (2020-10-15) =========================== +Security advisory +----------------- + +* HTML pages served via Synapse were vulernable to cross-site scripting (XSS) + attacks. All server administrators are encouraged to upgrade. + ([34ff8da8](https://github.com/matrix-org/synapse/commit/34ff8da83b54024289f515c6d73e6b486574d699)) + ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891)) + + This fix was originally included in v1.21.0 but was missing a security advisory. + + This was reported by [Denis Kasak](https://github.com/dkasak). + Bugfixes -------- - Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530)) +- Fix issues introduced in the packaging of v1.21.1 when using OpenID Connect with the Docker or Debian packages by including an updated version of the authlib dependency. Synapse 1.21.1 (2020-10-13) |